diff --git a/.github/workflows/CryptoMB-design.yml b/.github/workflows/CryptoMB-design.yml
new file mode 100644
index 0000000..49cb1a8
--- /dev/null
+++ b/.github/workflows/CryptoMB-design.yml
@@ -0,0 +1,374 @@ +name: CryptoMB-TLS-handshake-acceleration-for-Istio +services: + example-istiocontrolplane: + name: example-istiocontrolplane + type: IstioOperator + apiVersion: install.istio.io/v1alpha1 + namespace: istio-system + model: istio-base + version: 1.16.0 + settings: + spec: + components: + egress Gateways: + - enabled: true + name: istio-egressgateway + ingress Gateways: + - enabled: true + k8s: + pod Annotations: + proxy.istio.io/config: | + privateKeyProvider: + cryptomb: + pollDelay: 10ms + name: istio-ingressgateway + profile: demo + traits: + meshmap: + edges: [] + id: 0a9190c6-3b94-4497-9b5e-0e26e26a3f4a + label: example-istiocontrolplane + meshmodel-metadata: + isCustomResource: true + isNamespaced: true + primaryColor: '#326CE5' + secondaryColor: '#7aa1f0' + shape: circle + svgColor: ui/public/static/img/meshmodels/kubernetes/color/apiservice-color.svg + svgWhite: ui/public/static/img/meshmodels/kubernetes/white/apiservice-white.svg + position: + posX: 448.11615449152737 + posY: 115.57287677378196 + istio-operator-btexb: + name: istio-operator + type: ClusterRole + apiVersion: rbac.authorization.k8s.io/v1 + model: kubernetes + settings: + rules: + - api Groups: + - authentication.istio.io + resources: + - '*' + verbs: + - '*' + - api Groups: + - config.istio.io + resources: + - '*' + verbs: + - '*' + - api Groups: + - install.istio.io + resources: + - '*' + verbs: + - '*' + - api Groups: + - networking.istio.io + resources: + - '*' + verbs: + - '*' + - api Groups: + - security.istio.io + resources: + - '*' + verbs: + - '*' + - api Groups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + - validatingwebhookconfigurations + verbs: + - '*' + - api Groups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions.apiextensions.k8s.io + - customresourcedefinitions + verbs: + - '*' + - api Groups: + - apps + - extensions + resources: + - daemonsets + - deployments + - deployments/finalizers + - 
replicasets + verbs: + - '*' + - api Groups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - '*' + - api Groups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - update + - api Groups: + - policy + resources: + - poddisruptionbudgets + verbs: + - '*' + - api Groups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + - clusterroles + - roles + - rolebindings + verbs: + - '*' + - api Groups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - create + - update + - api Groups: + - "" + resources: + - configmaps + - endpoints + - events + - namespaces + - pods + - pods/proxy + - pods/portforward + - persistentvolumeclaims + - secrets + - services + - serviceaccounts + - resourcequotas + verbs: + - '*' + traits: + meshmap: + edges: [] + id: f9e95f4b-ffef-4523-917c-1442bb59b53b + label: istio-operator + meshmodel-metadata: + genealogy: "" + isCustomResource: false + isNamespaced: false + logoURL: Created by Lee + model: kubernetes + modelDisplayName: Kubernetes + primaryColor: '#326CE5' + published: true + secondaryColor: '#7aa1f0' + shape: round-rectangle + styleOverrides: '{"height":"22px","width":"16px","padding":"6px"}' + subCategory: Scheduling & Orchestration + svgColor: ui/public/static/img/meshmodels/kubernetes/color/clusterrole-color.svg + svgComplete: "" + svgWhite: ui/public/static/img/meshmodels/kubernetes/white/clusterrole-white.svg + position: + posX: 671.5732114890026 + posY: 194.95822565413835 + istio-operator-danjd: + name: istio-operator + type: Service + apiVersion: v1 + namespace: istio-operator + model: kubernetes + settings: + spec: + ports: + - name: http-metrics + port: 80 + protocol: TCP + target Port: 8383 + selector: + name: istio-operator + traits: + meshmap: + edges: [] + id: d24ca3fc-fb37-40d6-86b7-a2665b24f120 + label: istio-operator + meshmodel-metadata: + genealogy: "" + isCustomResource: false + isNamespaced: true + logoURL: 
https://github.com/cncf/artwork/blob/master/projects/kubernetes/icon/white/kubernetes-icon-white.svg + model: kubernetes + modelDisplayName: Kubernetes + primaryColor: '#326CE5' + published: true + secondaryColor: '#7aa1f0' + shape: round-triangle + styleOverrides: '{"height":16,"width":17,"padding":12,"background-fit":"none","background-position-y":4.5}' + subCategory: Scheduling & Orchestration + svgColor: ui/public/static/img/meshmodels/kubernetes/color/apiservice-color.svg + svgComplete: "" + svgWhite: ui/public/static/img/meshmodels/kubernetes/white/apiservice-white.svg + position: + posX: 484.9355395872588 + posY: 168.2587641981373 + istio-operator-gblro: + name: istio-operator + type: Deployment + apiVersion: apps/v1 + namespace: istio-operator + model: kubernetes + settings: + spec: + replicas: 1 + revision History Limit: 10 + selector: + match Labels: + name: istio-operator + template: + metadata: + annotations: + prometheus.io/port: "15014" + prometheus.io/scrape: "true" + labels: + name: istio-operator + spec: + containers: + - command: + - operator + - server + - --monitoring-host=127.0.0.1 + - --monitoring-port=15014 + env: + - name: WATCH_NAMESPACE + value: istio-system + - name: LEADER_ELECTION_NAMESPACE + value: istio-operator + - name: POD_NAME + value 
From: + field Ref: + field Path: metadata.name + - name: OPERATOR_NAME + value: istio-operator + - name: WAIT_FOR_RESOURCES_TIMEOUT + value: 300s + - name: REVISION + value: "" + image: docker.io/istio/operator:1.18.0 + name: istio-operator + resources: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 128Mi + security Context: + allow Privilege Escalation: false + capabilities: + drop: + - ALL + privileged: false + read Only Root Filesystem: true + run As Group: 1337 + run As Non Root: true + run As User: 1337 + service Account Name: istio-operator + traits: + meshmap: + edges: [] + id: 8e79be8c-da6a-49fe-8bc2-6decf12fd7c1 + label: istio-operator + meshmodel-metadata: + genealogy: parent + isCustomResource: false + isNamespaced: true + logoURL: Created by Lee + model: kubernetes + modelDisplayName: Kubernetes + primaryColor: '#326CE5' + published: true + secondaryColor: '#7aa1f0' + shape: round-pentagon + styleOverrides: '{"background-image":"none","border-width":2,"background-opacity":0.5}' + subCategory: Scheduling & Orchestration + svgColor: ui/public/static/img/meshmodels/kubernetes/color/deployment-color.svg + svgComplete: ui/public/static/img/meshmodels/kubernetes/complete/deployment-complete.svg + svgWhite: ui/public/static/img/meshmodels/kubernetes/color/deployment-color.svg + position: + posX: 492.1229787505797 + posY: 234.6048777043293 + istio-operator-ioxyg: + name: istio-operator + type: ClusterRoleBinding + apiVersion: rbac.authorization.k8s.io/v1 + namespace: istio-operator + model: kubernetes + settings: + role Ref: + api Group: rbac.authorization.k8s.io + kind: ClusterRole + name: istio-operator + subjects: + - kind: ServiceAccount + name: istio-operator + namespace: istio-operator + traits: + meshmap: + edges: [] + id: c3ad3045-b7a5-4b15-bafc-55ad9cc2bce6 + label: istio-operator + meshmodel-metadata: + genealogy: "" + isCustomResource: false + isNamespaced: false + logoURL: Created by Lee + model: kubernetes + 
modelDisplayName: Kubernetes + primaryColor: '#326CE5' + published: true + secondaryColor: '#7aa1f0' + shape: round-rectangle + styleOverrides: '{"height":"22px","width":"16px","padding":"6px", "z-index":9999}' + subCategory: Scheduling & Orchestration + svgColor: ui/public/static/img/meshmodels/kubernetes/color/clusterrolebinding-color.svg + svgComplete: "" + svgWhite: ui/public/static/img/meshmodels/kubernetes/white/clusterrolebinding-white.svg + position: + posX: 583.5433705937176 + posY: 276.8033383692807 + istio-operator-kgmgw: + name: istio-operator + type: ServiceAccount + apiVersion: v1 + namespace: istio-operator + model: kubernetes + traits: + meshmap: + edges: [] + id: 9240267f-d393-4c5d-bdf9-596bacf0ebf0 + label: istio-operator + meshmodel-metadata: + genealogy: "" + isCustomResource: false + isNamespaced: true + logoURL: https://github.com/cncf/artwork/blob/master/projects/kubernetes/icon/white/kubernetes-icon-white.svg + model: kubernetes + modelDisplayName: Kubernetes + primaryColor: '#326CE5' + published: true + secondaryColor: '#7aa1f0' + shape: round-rectangle + styleOverrides: "" + subCategory: Scheduling & Orchestration + svgColor: ui/public/static/img/meshmodels/kubernetes/color/serviceaccount-color.svg + svgComplete: "" + svgWhite: ui/public/static/img/meshmodels/kubernetes/color/serviceaccount-color.svg + position: + posX: 561.5 + posY: 194.5 \ No newline at end of file diff --git a/.github/workflows/httpbin.yaml b/.github/workflows/httpbin.yaml new file mode 100644 index 0000000..5357d4d --- /dev/null +++ b/.github/workflows/httpbin.yaml 
@@ -0,0 +1,96 @@
+# Copyright Istio Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+##################################################################################################
+# httpbin service
+##################################################################################################
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: httpbin
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: httpbin
+ labels:
+ app: httpbin
+ service: httpbin
+spec:
+ ports:
+ - name: http
+ port: 8000
+ targetPort: 80
+ selector:
+ app: httpbin
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: httpbin
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: httpbin
+ version: v1
+ template:
+ metadata:
+ labels:
+ app: httpbin
+ version: v1
+ spec:
+ serviceAccountName: httpbin
+ containers:
+ - image: docker.io/kong/httpbin
+ imagePullPolicy: IfNotPresent
+ name: httpbin
+ ports:
+ - containerPort: 80
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: Gateway
+metadata:
+ name: httpbin-gateway
+spec:
+ # The selector matches the ingress gateway pod labels.
+ # If you installed Istio using Helm following the standard documentation, this would be "istio=ingress"
+ selector:
+ istio: ingressgateway
+ servers:
+ - port:
+ number: 80
+ name: http
+ protocol: HTTP
+ hosts:
+ - "*"
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: httpbin
+spec:
+ hosts:
+ - "*"
+ gateways:
+ - httpbin-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /headers
+ route:
+ - destination:
+ port:
+ number: 8000
+ host: httpbin
\ No newline at end of file
diff --git a/.github/workflows/scheduled-istioCrypto-benchmark.yml b/.github/workflows/scheduled-istioCrypto-benchmark.yml
new file mode 100644
index 0000000..2463adb
--- /dev/null
+++ b/.github/workflows/scheduled-istioCrypto-benchmark.yml
@@ -0,0 +1,195 @@
+name: Scheduled Benchmark Tests on Self-hosted Runner
+on:
+ # for triggering manually, provide a test configuration file name or a performance profile name
+ workflow_dispatch:
+ inputs:
+ profile_name:
+ description: "performance profile to use"
+ required: false
+ profile_filename:
+ description: "test configuration file"
+ required: false
+ # scheduled to run on everyhour
+ schedule:
+ - cron: '0 * * * *'
+
+jobs:
+# Scheduled Benchmark Test
+ start-runners-scheduled:
+ name: Start self-hosted CNCF CIL runners for scheduled test
+ timeout-minutes: 60
+ runs-on: ubuntu-latest
+ if: ${{ github.event_name == 'schedule' }}
+ outputs:
+ github_run_id: ${{ env.GITHUB_RUN_ID }} # use this github_run_id as a suffix for CIL machines and runners
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v2
+
+ - name: Configure CNCF CIL credentials
+ run: |
+ chmod +x .github/workflows/scripts/self-hosted-credentails.sh
+ .github/workflows/scripts/self-hosted-credentails.sh ${{ secrets.CNCF_CIL_TOKEN }}
+ shell: bash
+
+ - name: Create registration token for CNCF CIL runner
+ id: getRegToken
+ run: |
+ reg_token=$(curl -s -X POST -H "Accept: application/vnd.github.v3+json" \
+ -H 'Authorization: token ${{ secrets.GH_ACCESS_TOKEN }}' \
+ https://api.github.com/repos/${{github.repository}}/actions/runners/registration-token | jq -r .token)
+ echo REG_TOKEN=$reg_token >> $GITHUB_ENV
+ echo REPOSITORY=${{github.repository}} >> $GITHUB_ENV
+ shell: bash
+
+ # The hostname will be like istioCrypto-fortio-load-1997512481
+ - name: Start CNCF CIL runner
+ id: start-cil-runner
+ run: |
+ echo GITHUB_RUN_ID=${{ github.run_id }} >> $GITHUB_ENV
+ chmod +x .github/workflows/scripts/start-cil-runner.sh
+ .github/workflows/scripts/start-cil-runner.sh ${{ secrets.cncf_cil_token }} istioCrypto-fortio-load
+ shell: bash
+
+ scheduled-test:
+ name: Scheduled Istio-Crypto Benchmark Test
+ timeout-minutes: 60
+ needs:
+ - start-runners-scheduled
+ runs-on: istioCrypto-fortio-load-${{ github.run_id }}
+ if: ${{ github.event_name == 'schedule' }}
+ steps:
+ - name: Install dependencies
+ run: |
+ echo "Current user: $(whoami)"
+ echo "Installing kubectl..."
+ curl -LO https://dl.k8s.io/release/v1.23.2/bin/linux/amd64/kubectl
+ sudo install -o smp -g smp -m 0755 kubectl /usr/local/bin/kubectl
+ echo "Installing docker..."
+ sudo apt update -y
+ sudo apt install -y jq unzip apt-transport-https ca-certificates software-properties-common
+ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"
+ sudo apt-cache policy docker-ce
+ sudo apt install -y docker-ce
+ sudo systemctl status docker
+ sudo mkdir -p ~/.kube
+ sudo chmod 777 ~/.kube
+ curl -LO https://storage.googleapis.com/minikube/releases/latest/minikube-linux-amd64
+ sudo install minikube-linux-amd64 /usr/local/bin/minikube
+
+
+ - name: Start minikube
+ run: |
+ minikube start --memory 5000
+ kubectl get po -A
+
+ - name: Checkout Code
+ uses: actions/checkout@v2
+
+ - name: Install Istio Operator and Gateway CRD
+ run: |
+ cat /proc/cpuinfo | grep avx
+ curl -L https://istio.io/downloadIstio | sh -
+ cd istio-1.18.0
+ export PATH=$PWD/bin:$PATH
+ istioctl operator init
+ pwd
+
+
+
+ - name: MeshModel Component Register Check
+ run: |
+ kubectl config view --minify --flatten > ~/minified_config
+ mv ~/minified_config ~/.kube/config
+ echo 'mesheryctl is not installed. Installing mesheryctl client... Standby... (Starting Meshery as well...)' >&2
+ # curl -L https://meshery.io/install | ADAPTERS=istio PLATFORM=kubernetes bash -
+
+ output=$(curl -L https://meshery.io/install | PLATFORM=kubernetes bash - 2>&1)
+ echo $output
+ url=$(echo "$output" | grep -oP 'http://\S+' | tail -1)
+ echo "Generated URL: $url"
+
+ #forces meshery to register components and checks
+ curl --location "${url}/api/system/sync" \
+ --header 'meshery-token:${{ secrets.MESHERY_TOKEN }}' \
+ --header 'Cookie: meshery-provider=Meshery; meshery.layer5.io_ref=/;token=${{ secrets.MESHERY_TOKEN }}'
+
+ curl --location "${url}/api/system/sync" \
+ --header 'meshery-token:${{ secrets.MESHERY_TOKEN }}' \
+ --header 'Cookie: meshery-provider=Meshery; meshery.layer5.io_ref=/;token=${{ secrets.MESHERY_TOKEN }}'
+
+ check_endpoint() {
+ response=$(curl -s "${url}/api/meshmodels/models/kubernetes/components/IstioOperator" \
+ -H 'Cookie: meshery-provider=Meshery;token=${{ secrets.MESHERY_TOKEN }}'
+ )
+ total_count=$(echo "$response" | grep -oP '(?<="total_count":)\d+')
+
+ if [[ $total_count -ne 0 ]]; then
+ echo "Components Registered"
+ exit 0
+ fi
+ }
+
+ # Set the duration for script execution (in seconds)
+ duration=$((5 * 60))
+
+ # Calculate the end time
+ end_time=$((SECONDS + duration))
+
+ # Loop until the end time is reached
+ while [[ $SECONDS -lt $end_time ]]; do
+ check_endpoint
+ echo "Checked, Components not registered"
+ sleep 60
+ done
+
+ echo "Waited for 5 minutes components not registered"
+
+ - name: Deploy Istio Crypto design and deploy httpbin application
+ run: |
+ chmod +x .github/workflows/scripts/istioCrypto.sh
+ .github/workflows/scripts/istioCrypto.sh
+ shell: bash
+
+ - name: Get Date
+ id: date
+ run: echo "::set-output name=date::$(date +'%Y-%m-%d-%H.%M.%S')"
+
+ - name: Run Benchmark Tests
+ uses: layer5io/meshery-smp-action@master
+ with:
+ provider_token: ${{ secrets.MESHERY_TOKEN }}
+ platform: docker
+ profile_filename: load-test.yaml
+ endpoint_url: ${{env.ENDPOINT_URL}}
+ service_mesh: ${{env.SERVICE_MESH}}
+ load_generator: fortio
+ profile_name: 'istioCrypto-load-test.yaml'
+ test_name: '${{ steps.date.outputs.date }}'
+
+ stop-runner-scheduled:
+ name: Stop self-hosted runner
+ timeout-minutes: 60
+ needs:
+ - start-runners-scheduled # required to get output from the start-runner job
+ - scheduled-test # required to wait when the main job is done
+ runs-on: ubuntu-latest
+ if: ${{ always() && github.event_name == 'schedule' }} # required to stop the runner even if the error happened in the previous jobs
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v2
+
+
+ - name: Stop CNCF CIL runner
+ run: |
+ chmod +x .github/workflows/scripts/stop-cil-runner.sh
+ .github/workflows/scripts/stop-cil-runner.sh ${{ secrets.cncf_cil_token }} istioCrypto-fortio-load-${{ needs.start-runners-scheduled.outputs.github_run_id }}
+ shell: bash
+
+ - name: Remove CNCF CIL runner from github repository
+ if: always()
+ run: |
+ runner_id=$(curl -s -H 'Authorization: token ${{ secrets.GH_ACCESS_TOKEN }}' -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{github.repository}}/actions/runners | jq '.runners[] | select(.name == "istioCrypto-fortio-load-${{ needs.start-runners-scheduled.outputs.github_run_id }}") | {id}' | jq -r .id)
+ curl -X DELETE -H 'Authorization: token ${{ secrets.GH_ACCESS_TOKEN }}' -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/${{github.repository}}/actions/runners/$runner_id
+ shell: bash
diff --git a/.github/workflows/scripts/generate_csr.sh b/.github/workflows/scripts/generate_csr.sh
new file mode 100644
index 0000000..4904516
--- /dev/null
+++ b/.github/workflows/scripts/generate_csr.sh
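Review bot: The "MeshModel Component Register Check" step cannot fail: `check_endpoint` does `exit 0` once the component count is non-zero, but when the five-minute loop runs out the step only prints `Waited for 5 minutes components not registered` and returns success, so the design is applied against a Meshery that never registered the IstioOperator component; add `exit 1` after that echo. In the "Install Istio Operator and Gateway CRD" step an unpinned installer is piped into `sh` and the next line is `cd istio-1.18.0`, which stops working as soon as the installer fetches a different release; pin it with `curl -L https://istio.io/downloadIstio | ISTIO_VERSION=1.18.0 sh -`. The "Install dependencies" step installs the kubectl binary without verifying its published checksum and then does `sudo chmod 777 ~/.kube`, the directory that later receives the flattened kubeconfig; on a shared self-hosted runner I would add `curl -LO https://dl.k8s.io/release/v1.23.2/bin/linux/amd64/kubectl.sha256` and `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` before the install, and use `chmod 700` for `~/.kube`. The `::set-output` command in the "Get Date" step is deprecated; `echo "date=$(date +'%Y-%m-%d-%H.%M.%S')" >> "$GITHUB_OUTPUT"` is the supported form.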
@@ -0,0 +1,11 @@
+
+# generate CA cerficate
+openssl genrsa -out fortio.com.key 2048
+openssl req -new -x509 -days 365 -key fortio.com.key -subj "/C=CN/ST=GD/L=SZ/O=fortio.com, Inc./CN=fortio.com Root CA" -out fortio.com.crt
+
+# generate CSR
+openssl req -newkey rsa:2048 -nodes -keyout httpbin.fortio.com.key -subj "/C=CN/ST=GD/L=SZ/O=fortio.com, Inc./CN=*.fortio.com" -out httpbin.fortio.com.csr
+openssl x509 -req -extfile <(printf "subjectAltName=IP:10.239.241.168,DNS:fortio.com,DNS:www.fortio.com") -days 365 -in httpbin.fortio.com.csr -CA fortio.com.crt -CAkey fortio.com.key -CAcreateserial -out httpbin.fortio.com.crt
+
+# upload key and crt as a secret
+kubectl create -n istio-system secret tls httpbin-fortio-credential --key=httpbin.fortio.com.key --cert=httpbin.fortio.com.crt
\ No newline at end of file
diff --git a/.github/workflows/scripts/istioCrypto.sh b/.github/workflows/scripts/istioCrypto.sh
new file mode 100644
index 0000000..d1b5dd5
--- /dev/null
+++ b/.github/workflows/scripts/istioCrypto.sh
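Review bot: The script has no shebang and no `set -euo pipefail`, yet the `openssl x509 -req -extfile <(printf ...)` line relies on process substitution, so it only works when the caller happens to run it under bash; start the file with `#!/usr/bin/env bash` and `set -euo pipefail` so a failed `openssl req` cannot be followed by `kubectl create` uploading a missing or stale certificate. `kubectl create -n istio-system secret tls ...` is not idempotent and fails on the second run; `kubectl create -n istio-system secret tls httpbin-fortio-credential --key=httpbin.fortio.com.key --cert=httpbin.fortio.com.crt --dry-run=client -o yaml | kubectl apply -f -` keeps it re-runnable. The CA private key `fortio.com.key` and the leaf key stay in the working directory after the upload, and the subjectAltName hard-codes the address `10.239.241.168`; removing the key files once the secret exists and taking the SAN IP from an argument or environment variable would make the script safe to run on a shared runner and reusable elsewhere. Nothing else in this diff invokes generate_csr.sh, so a header comment stating when it is meant to run (and that the resulting CA is self-signed test material) would help the next reader.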
@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+
+
+# Istio, crypto deployment
+
+export MESH_NAME='Istio'
+export SERVICE_MESH='ISTIO'
+
+kubectl get pods -n meshery
+
+echo "Meshery has been installed."
+# mesheryctl system login --provider None
+
+# mesheryctl mesh deploy istio --watch
+
+sleep 200
+
+
+# so that istio operator gets initialized
+
+# Applying/deploying crpyto pattern
+echo "Applying IstioCrypto Design"
+mesheryctl pattern apply -f ./.github/workflows/CryptoMB-design.yaml --token "./.github/workflows/auth.json"
+
+sleep 200
+
+kubectl get all -n istio-operator
+
+# deplyoing httbin application
+echo "OnBoarding HTTP Design"
+mesheryctl app onboard -f ../httpbin.yaml -s "Kubernetes Manifest" --token "./.github/workflows/auth.json"
+
+sleep 100
+
+export INGRESS_NAME=istio-ingressgateway
+export INGRESS_NS=istio-system
+
+kubectl get svc "$INGRESS_NAME" -n "$INGRESS_NS"
+
+
+export INGRESS_HOST=$(kubectl -n "$INGRESS_NS" get service "$INGRESS_NAME" -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+export INGRESS_PORT=$(kubectl -n "$INGRESS_NS" get service "$INGRESS_NAME" -o jsonpath='{.spec.ports[?(@.name=="http2")].port}')
+export SECURE_INGRESS_PORT=$(kubectl -n "$INGRESS_NS" get service "$INGRESS_NAME" -o jsonpath='{.spec.ports[?(@.name=="https")].port}')
+export TCP_INGRESS_PORT=$(kubectl -n "$INGRESS_NS" get service "$INGRESS_NAME" -o jsonpath='{.spec.ports[?(@.name=="tcp")].port}')
+
+
+export GATEWAY_URL=http://$INGRESS_HOST:$INGRESS_PORT/headers
+
+# mesheryctl perf apply --file $GITHUB_WORKSPACE/.github/$perf_filename -t ~/auth.json --url "$endpoint_url" --mesh "$service_mesh" --name "$test_name" --load-generator "$load_generator" $perf_profile_name -y
+
+echo "Service Mesh: $MESH_NAME - $SERVICE_MESH"
+echo "Gateway URL: $GATEWAY_URL"
+echo "ENDPOINT_URL=$GATEWAY_URL >> $GITHUB_ENV
+echo "SERVICE_MESH=$SERVICE_MESH" >> $GITHUB_ENV
\ No newline at end of file
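Review bot: The line `echo "ENDPOINT_URL=$GATEWAY_URL >> $GITHUB_ENV` is missing its closing quote, so bash swallows the following line into the string and then hits an unterminated quote at end of file; the script aborts with a syntax error before either variable reaches `$GITHUB_ENV`, and the "Run Benchmark Tests" step in the workflow receives an empty `endpoint_url`. It should read `echo "ENDPOINT_URL=$GATEWAY_URL" >> "$GITHUB_ENV"`. The paths handed to mesheryctl also do not match the rest of this diff: the design file added here is `.github/workflows/CryptoMB-design.yml` but the script applies `./.github/workflows/CryptoMB-design.yaml`, and `../httpbin.yaml` is resolved against the working directory (the repository root, given how the workflow invokes `.github/workflows/scripts/istioCrypto.sh`), so it points outside the checkout rather than at `.github/workflows/httpbin.yaml`. `./.github/workflows/auth.json` is referenced as the Meshery token file but is not part of this diff; if it is meant to be committed it should instead be written at runtime from `secrets.MESHERY_TOKEN`, and the fixed `sleep 200` / `sleep 100` waits would be more reliable as `kubectl rollout status` on the operator and httpbin deployments, with `set -euo pipefail` at the top so failures like the quoting bug above surface immediately.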